
Microsoft Forefront Client Security Tarek Online!

Tarek online! Page 1- 15


System Center Operations Manager 2007 in Egypt
http://tarek-online.blogspot.com
Cairo-Egypt

















Microsoft Forefront Client Security


Configure Microsoft Forefront Client Security






Friday, 13 July 2007
Version: 1.00










Prepared by:
Tarek Ismail Mohamed
Infrastructure Consultant
Management Solution Consultant
Tarek_877@hotmail.com

Table of Contents

1. OVERVIEW
2. CONFIGURE WINDOWS CLIENT FIREWALL
3. CONFIGURE WSUS SERVER
4. DEPLOY CLIENT SECURITY
5. CREATE CLIENT SECURITY POLICY
6. DEPLOY CLIENT SECURITY POLICY
7. DISTRIBUTING DEFINITION AND ENGINE UPDATES
8. CONTROLLING ACCESS TO FCS MOM CONSOLES


1. Overview
After installing Microsoft Forefront Client Security (FCS), you need to configure the server and all
related components to get the best results from the FCS server.
This guide covers the following items:

- Configure Windows client firewall
- Configure WSUS server
- Deploy Client Security
- Manually deploy the Forefront Client Security client
- Create Client Security policy
- Deploy Client Security policy
- Distributing definition and engine updates
- Controlling access to FCS MOM consoles

2. Configure windows client firewall
Before deploying Client Security to client computers, make sure the required
ports are open between the client and the server.
The following table lists the ports required for communication between the FCS
client and server.

Computer          Connection              Port (protocols)
Client computers  To connection server    1270 (TCP and UDP)
Client computers  To distribution server  80 (TCP) or 8530 (TCP) or custom

These ports cover FCS communication only; the list does not include the ports and
protocols required for GPO, DNS, Kerberos and LDAP queries.
These ports can be opened manually, using the following steps:
- From Control Panel, double-click Windows Firewall.
- Click the Exceptions tab, and click Add Port.
- Type the name and port, and select the protocol type, TCP or UDP.
You can also configure these ports using a GPO, which is the recommended method:
- Open GPMC and use Create and link GPO here to create a linked GPO.
- Open the GPO and go to Computer Configuration, Administrative Templates, Network,
  Network Connections, Windows Firewall, Domain Profile.
- Choose Windows Firewall: Allow define port exceptions, choose Enable,
  and click Show.
- Click Add, and add each exception using the format
PORT:Transport:Scope:Status:Name
With an FCS server IP address of 10.0.0.20, the policy entries will be as below:
1270:TCP:10.0.0.20:enabled:1270 TCP
1270:UDP:10.0.0.20:enabled:1270 UDP
80:TCP:10.0.0.20:enabled:distribution server
8530:TCP:10.0.0.20:enabled:distribution server 2
The Status field must be either enabled or disabled.

If you have already configured the client Windows Firewall using a GPO, you only need
to add these firewall entries to it.
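
A lint check for exception strings in the PORT:Transport:Scope:Status:Name format, as an added example that is not part of the original guide. The sample entries are constructed; the code assumes IPv4 scopes and that the Status field accepts only enabled or disabled.

```python
import ipaddress

# Constructed sample entries: the first four follow the guide's list for an FCS
# server at 10.0.0.20; the last three are deliberately bad, for illustration.
# Assumption: scopes are IPv4 (an IPv6 address would clash with the ':' separator).
SAMPLE = [
    "1270:TCP:10.0.0.20:enabled:1270 TCP",
    "1270:UDP:10.0.0.20:enabled:1270 UDP",
    "80:TCP:10.0.0.20:enabled:distribution server",
    "8530:TCP:10.0.0.20:enabled:distribution server 2",
    "8530:TCP:*:enabled:open to everyone",
    "1270:TCP:10.0.0.20:enable:wrong status keyword",
    "70000:ICMP:10.0.0.300:enabled:bad port, transport and address",
]

def check_scope(scope):
    """Return the problems found in the Scope field."""
    if scope == "*":
        return ["scope '*' accepts any source address"]
    problems = []
    for item in scope.split(","):
        item = item.strip()
        if item.lower() == "localsubnet":
            continue
        try:
            ipaddress.ip_network(item, strict=False)  # single address or subnet
        except ValueError:
            problems.append(f"invalid scope item {item!r}")
    return problems

def check_entry(entry):
    """Validate one exception string; an empty list means it is well formed."""
    parts = entry.split(":", 4)  # the Name field may itself contain ':'
    if len(parts) != 5:
        return ["expected 5 colon-separated fields"]
    port, transport, scope, status, name = (p.strip() for p in parts)
    problems = []
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"invalid port {port!r}")
    if transport.upper() not in ("TCP", "UDP"):
        problems.append(f"transport must be TCP or UDP, got {transport!r}")
    problems += check_scope(scope)
    if status.lower() not in ("enabled", "disabled"):
        problems.append(f"status must be enabled or disabled, got {status!r}")
    return problems

if __name__ == "__main__":
    for e in SAMPLE:
        print(e, "->", check_entry(e) or "OK")
```

Running it over the entries before they go into the GPO catches a misspelled status keyword and any entry whose scope is wider than the FCS server address.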
3. Configure WSUS server
Microsoft WSUS server version 3 will be configured as follows:

Configure products and classifications:
- Open the WSUS console and choose Options.
- Click Products and Classifications.
- On the Products tab, choose Forefront Client Security.
- On the Classifications tab, choose Critical Updates, Definition Updates, Security
  Updates, and Updates.

Configure synchronization schedule:
- Open the WSUS console and choose Options.
- Click Synchronization Schedule.
- Choose Synchronize automatically, and set Synchronizations per day
  to 4.

Configure automatic approvals:
- Open the WSUS console and choose Options.
- Click Automatic Approvals.
- Click New Rule, and type the name FCS updates.
- Configure the rule to apply when an update is in Critical Updates, Definition
  Updates, Security Updates, Updates.
- And when the update is in Forefront Client Security.
- Approve the update for all computers.
4. Deploy client security
There are two options for installing Client Security:

Download and install Client Security from the distribution server:

- This is the easiest way to install the client on the required machine.
- With this option, you need to target the computer with at least one policy from the
  Client Security server.
- After you create and deploy the policy, the process starts automatically.

Deploy the client using the command line:

- Use this option to deploy the client before deploying the Forefront security policy.
- Use this option if the computers are not domain members.
- You can use the command line to deploy clients using SMS 2003, SCCM, SCE
  2007, or GPO.
- The command is located at CD Drive:\Client for 32-bit clients, or CD
  Drive:\Client\X64 for 64-bit clients.

Command line parameters:

ClientSetup.exe /MS <MOM Collection Server Name> /CG <MOM Config Group Name> [/I <Install Path>] [/L <Log Path>] [/R] [/NOMOM]

/MS Collection Server Name (Required if /CG present)
/CG Config Group Name (Required if /MS present)
/I Install Directory (Optional)
/L Log Directory (Optional)
/R Force reinstall of all MSIs (Optional)
/NOMOM Installs all MSIs except MOM agent (Optional)

Example:

ClientSetup.exe /MS TAR-FCS01 /CG FCSMG /R
ClientSetup.exe /MS TAR-FCS01 /CG FCSMG /I "c:\program files\forefront" /R

Command-line installation is useful in the following cases:
- You don't want to deploy any client policy at this time.
- You don't want to deploy the MOM client agent.
- You use GPO to deploy Client Security.
- You use SCCM, SCE 2007, or SMS 2003 to deploy the client.







5. Create client security policy
After deciding how to deploy Client Security, we need to control the clients
using a security policy.
A Client Security policy is a collection of settings that you can apply to many client
computers.
Use the Policy Management tab in the Client Security console to create, modify, delete,
and deploy policies.
A newly created policy does not affect any computer until you deploy it.
To create a policy, open the Client Security management console and choose the Policy
Management tab.


To create a new policy, simply click New.
Type the policy name and comments about this policy.


Click the Protection tab, and set Virus protection and Spyware protection to On.
Virus protection and spyware protection can each be set to On, Off, or User
controlled.
Under Malware scanning, select Use real-time protection (scan programs and
services when they are accessed) and Run a scan at this time.
Choose to run the scan every day at 12:00 PM, with the scan type set to Full Scan.
Choose Run a quick scan at set interval (hours) and choose 12 hours.
You can create only one schedule for both virus and spyware protection.
The Task Scheduler service must be enabled and running on client computers to
run scheduled and interval scans.
Under Security state assessment, set Scan at set interval (hours) to 12
hours.
For scheduled events, Client Security creates hidden tasks on client computers.
To view hidden tasks, open Scheduled Tasks, click Advanced, and then click View
Hidden Tasks.
To allow users to schedule scans, select User controlled for the start time under
Malware scanning.











On the Advanced tab, we will configure malware definition updates, malware scan
options, exclusions from malware scans, and client options.
Under Malware definition updates, select the Check for updates before starting a
scan check box; this configures the client to check the distribution server
for updates before starting a scan.
Select the Check for updates at set interval check box and type the number of
hours between definition-update checks.
Select the Check for updates on Microsoft Update when WSUS is unavailable
check box to allow the client to fall back to Microsoft Update when the WSUS
server is unavailable.
Under Malware scan options, choose Scan archive files and Use heuristics to
detect suspicious files.
Under Exclusions from malware scans, configure the file and folder paths and
the extensions that will be excluded from the scan.
Under Client Options, choose User can view all Client Security agent settings and
messages, Only administrators can change Client Security agent settings, and
Allow users to add exclusions and overrides.
With the above client options configured, View notification area icon and status
messages will be available to all users, while Open Client Security agent and run
scans, Change user-controlled settings, and Add exclusions and overrides will
be available only to local Administrators.
Choose Prompt users when unclassified software is detected to let users
decide whether unclassified software may run.



On the Overrides tab, you can configure overrides to the default malware responses and
view the default response, category, and severity of malware.



The Reporting tab specifies the frequency with which alerts are generated by
computers protected by this policy.
Alert level 5 results in the most alerts, and alert level 1 results in the fewest.
Choose Alert 4-High, which generates alerts for all Client Security conditions except a
successful response to malware on the network.
Under Logging, Client Security by default generates events on client computers for
many events.
Do not select Do not log events for files marked "Unknown".
Under SpyNet, choose Basic so that Client Security sends basic information about
detected items and the actions you apply. In some instances, personal
information may be sent, but no information is used to contact users.
If Internet access is provided through a proxy server, select Use other proxy
server and port and type the proxy name or IP address and the port, for example
ISA.TAREk.LOCAL:8080
Click OK to finish the policy.
You can create many policies, but none of them will be active until you deploy it.


You can edit this policy at any time and change the client settings.
You can also copy the policy settings to a new policy, edit some settings, and save it
under a new name.

6. Deploy client security policy
After creating the required policy, you need to deploy it.
A policy can be deployed to an OU in Active Directory or to a computer group in Active
Directory, or it can be exported to a file and applied from the command line on
workgroup computers and also on domain member computers.
Choose the policy you want to deploy and click Deploy.
Choose how you want to deploy the policy: Add OU, Add Group,
Add GPO, or Add File.
Client Security policies apply only to computers, not to user accounts.
To remove a previously deployed policy, you must either deploy a different
policy to the computer or undeploy the unwanted policy.
Security-group policies (Add Group) override policies deployed to OUs (Add
OU).



After you deploy the policy, a new GPO is created to apply the Client Security
settings.
If you deploy the policy to an OU, the policy name will be
FCS-policy name - GUID-2
If you deploy the policy to a security group, the policy name will be
FCS-policy name - GUID-3
If you deploy the policy to a security group, the created GPO will be linked at
the domain level.







When you deploy the policy to a file, a registry file is created.
Use the FCSLOCALPOLICYTOOL.EXE tool to deploy the policy; the tool is located in the
CD ROM:\CLIENT folder or CD ROM:\CLIENT\X64.
To deploy the policy, use the command
FCSLOCALPOLICYTOOL.EXE /I TarekPolicy.reg /F
/F suppresses the confirmation prompt.
To delete the deployed policy, use the command
FCSLOCALPOLICYTOOL.EXE /D

7. Distributing definition and engine updates
Client Security is designed to use WSUS to distribute definition and scan-engine
updates to client computers.
You can also download and install updates manually from the link below:
http://technet.microsoft.com/en-us/forefront/clientsecurity/bb508812.aspx
The definitions that WSUS downloads are contained in update files.
Updates can be for definitions or for the scan engine,
so you need to choose definitions and updates in the WSUS settings.
The files are digitally signed.
The size of an update varies: the base set of definitions is about 1 megabyte (MB),
and the delta set is about half that size, or 500 kilobytes (KB).
When the scan engine is included in an update, the file size can reach 15 MB.

8. Controlling access to FCS MOM consoles
After installing the Microsoft Forefront Client Security server, you will find four
groups among the local security groups on the server:
- MOM Administrators: MOM Administrators can view and modify settings
  in the Operations Console and in the Operations node, Management Packs
  node, and Administration nodes in the MOM Administration Console.
- MOM Authors: MOM Authors can view and modify settings in the
  Operations Console, and in the Operations node and Management Packs
  node in the MOM Administration Console.
- MOM Service: Intended solely for use by MOM services and processes.
  Individuals should not be members of this group.
- MOM Users: MOM Users can view and modify settings in the Operations
  Console and the Operations node of the MOM Administration Console.

To allow access to the MOM Operator console, add the user or group to MOM
Users and Distributed COM Users.
To allow access to the MOM Administrator console, add the user or group to
MOM Authors and Distributed COM Users.
